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About This Guide 


This guide gives an overview of OpenWBEM services and Common Information Model (CIM) 
technologies included with Novell® Open Enterprise Server (OES) 2 and how they relate. It also 
describes how to implement these services in your network and configure the OpenWBEM 
Common Information Model Object Manager (CIMOM) on a server running OES 2 Linux (or later) 
or NetWare” 6.5 SP8. 





IMPORTANT: This book contains information for NetWare 6.5 SP8 and Novell Open Enterprise 
Server 2 SPI Linux. For the latest information about using OpenWBEM on Linux, see the Novell 
Open Enterprise Server 2 SP2 Linux or later versions of the OES 2 SP2: OpenWBEM Services 
Administration Guide. 





This guide is divided into the following sections: 


+ Chapter 1, “Overview,” on page 9 

+ Chapter 2, “What's New for OpenWBEM,” on page 11 

+ Chapter 3, “Migrating OpenWBEM from NetWare to OES 2 Linux,” on page 13 
+ Chapter 4, “Running OpenWBEM in a Virtualized Environment,” on page 15 

¢ Chapter 5, “Setting Up OpenWBEM,” on page 17 

+ Chapter 6, “Changing the OpenWBEM CIMOM Configuration,” on page 23 


+ Chapter 7, “Security Considerations,” on page 39 


Audience 


This guide is intended for network administrators. 


Feedback 


We want to hear your comments and suggestions about this manual and the other documentation 
included with this product. Please use the User Comments feature at the bottom of each page of the 
online documentation, or go to www.novell.com/documentation/feedback.html and enter your 
comments there. 


Documentation Updates 


For the most recent version of the OpenWBEM Services Administration Guide, see the NetWare 6.5 
SP8 Documentation Web site (http://www.novell.com/documentation/nw65). 


Additional Documentation 


For more in-depth information about the Distributed Management Task Force (DMTF) and its 
standards, see the DMTF Web site (http://www.dmtf.org/home). 


For more information on the open source project OpenWBEM, see the OpenWBEM Web site (http:/ 
/openwbem.org). 


About This Guide 


Documentation Conventions 


In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and 
items in a cross-reference path. 


A trademark symbol @, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party 
trademark. 


When a single pathname can be written with a backslash for some platforms or a forward slash for 
other platforms, the pathname is presented with a backslash. Users of platforms that require a 
forward slash, such as Linux* or UNIX*, should use forward slashes as required by your software. 
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Overview 


Novell® Open Enterprise Server (OES) 2 has embraced the open standard strategies of Web-Based 
Enterprise Management (WBEM) proposed by the Distributed Management Task Force (DMTF) 
(http://www.dmtf.org/home). Implementing these strategies can substantially reduce the level of 
complexity associated with managing disparate systems in your network. 


The following information describes a few of the components proposed by the DMTF standards. 
Understanding what these are and how they relate to each other can help you understand what 
OpenWBEM is and how you most effectively use it in your network. 


+ Web-Based Enterprise Management (WBEM) is a set of management and Internet standard 
technologies developed to unify the management of enterprise computing environments. 
WBEM provides the ability for the industry to deliver a well integrated set of standards-based 
management tools leveraging the emerging Web technologies. The DMTF has developed a 
core set of standards that make up WBEM: 


+ A data model: the Common Information Model (CIM) standard 
+ An encoding specification: CIM-XML Encoding Specification 
+ A transport mechanism: CIM Operations over HTTP 


+ The Common Information Model (CIM) is a conceptual information model for describing 
management that is not bound to a particular implementation. This allows for the interchange 
of management information between management systems and applications. This can be either 
agent-to-manager or manager-to-manager communications that provide for distributed system 
management. There are two parts to CIM: the CIM Specification and the CIM Schema. 


The CIM Specification describes the language, naming, and meta schema. The meta schema is 
a formal definition of the model. It defines the terms used to express the model and their usage 
and semantics. The elements of the meta schema are Classes, Properties, and Methods. The 
meta schema also supports Indications and Associations as types of Classes, and References as 
types of Properties. 


The CIM Schema provides the actual model descriptions. The CIM Schema supplies a set of 
classes with properties and associations that provide a well understood conceptual framework 
within which it is possible to organize the available information about the managed 
environment. 


+ The Common Information Model Object Manager (CIMOM) is a CIM object manager or, more 
specifically, an application that manages objects according to the CIM standard. 


+ CIMOM providers are software that performs specific tasks within the CIMOM that are 
requested by client applications. Each provider instruments one or more aspects of the 
CIMOM's schema. 


Open Enterprise Server contains the CIMOM from the OpenWBEM project (http://openwbem.org). 


The packages contained in the Web-based Enterprise Management pattern in the Primary Functions 
category (on Linux) or the OWCIMOMD (WBEM CIMOM Daemon module and other LIBC 
modules on NetWare®) include a set of basic Novell providers, including some sample providers, 
and a base set of accompanying Novell schemas. 


Overview 


As Novell moves forward with OpenWBEM and development of specific providers, it will provide 
tools that offer the following important features: 


¢ Efficient monitoring of network systems 
¢ Recording of alterations within existing management configurations 


+ Hardware inventory and asset management 


Understanding how the OpenWBEM CIMOM is set up and how to configure it can help you 
monitor and manage disparate system in your network with more confidence and ease. 


1.1 What's Next 


For information about the tasks you might want to perform, see the following table. 
Table 1-1 Information Index 


Task See 


Learn about coexistence and migration issues. “Migrating OpenWBEM from NetWare to OES 2 
Linux” on page 13 





Setting Up OpenWBEM “Setting Up OpenWBEM” on page 17 





Learning about virtualization differences “Running OpenWBEM in a Virtualized 
Environment” on page 15 








Configuring OpenWBEM “Changing the OpenWBEM CIMOM Configuration” 
on page 23 
Ensure the server and data are secure “Security Considerations” on page 39 
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What’s New for OpenWBEM 


The features and capabilities in this section were added for OpenWBEM since the initial release of 
NetWare® 6.5 SP7. 


¢ Section 2.1, “NetWare 6.5 SP8,” on page 11 
¢ Section 2.2, “OES 2 and NetWare 6.5 SP7,” on page 11 


2.1 NetWare 6.5 SP8 


There were no changes to OpenWBEM for NetWare 6.5 SP8. 


2.2 OES 2 and NetWare 6.5 SP7 


OpenWBEM in Open Enterprise Server 2 includes the following features that were not in the initial 
release of OES 1 and NetWare 6.5 SP3: 


¢ For OES 2 Linux, OpenWBEM software packages are distributed by the SUSE® Linux 
Enterprise Server 10 software rather than added on by the OES software. 


+ The version of OpenWBEM for Linux is version 3.2. The version for NetWare® is still 3.01. 


What's New for OpenWBEM 11 
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Migrating OpenWBEM from 
NetWare to OES 2 Linux 


The section contains the following information: 


+ Section 3.1, “Coexistence,” on page 13 


¢ Section 3.2, “Migration,” on page 13 


3.1 Coexistence 


This section provides information regarding the compatibility and coexistence of OpenWBEM 
Services with existing networks containing OES 2 NetWare® or Linux platforms. 


3.1.1 Compatibility 


The following table summarizes the compatibility of OpenWBEM Services with various operating 


systems: 


Table 3-1 Compatibility of OES Services using OpenWBEM Services on Various Versions of Operating Systems 


Operating System 


Compatible Versions 


Version of OpenWBEM 

















NetWare OES 2 on NetWare 3.1 
NetWare OES 1 on NetWare 3.1 
NetWare NetWare 6.5 SP3 or later 3.1 
Linux OES 2 on Linux 3.2 
Linux OES 1 on Linux 3.1 
Linux SUSE® Linux Enterprise Server 3.1 
9 SP1 and later 
Linux SUSE Linux Enterprise Server 3.2 


10 and later 





3.1.2 Coexistence Issues 


Unknown. 


3.2 Migration 


When you migrate different OES | services from NetWare to OES 2 Linux, the services should 
automatically convert their use of OpenWBEM on NetWare version 3.1 to OpenWBEM on OES 2 
Linux. You do not need to take any manual steps to make this conversion. 
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If you have modified the openwbem. conf file for your NetWare environment, you might want to 
make the same type of changes in the openwbem.conf file on Linux. 


On OES Linux, the openwbem.conf file is the same name as it is for NetWare but file locations and 
settings are different, so you cannot copy the file directly from NetWare to an OES Linux server. 
The concepts are the same, so you can use the information from the NetWare openwbem. conf file to 
guide you in setting up the configuration on OES Linux. For all differences, see “Changing the 
OpenWBEM CIMOM Configuration” on page 23. 
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Running OpenWBEM in a 
Virtualized Environment 


OpenWBEM runs in a virtualized environment just as it does on a physical NetWare® server or ona 
physical server running OES 2 Linux and requires no special configuration or other changes. 


To get started with virtualization, see “Introduction to Xen Virtualization” (http://www.novell.com/ 
documentation/sles10/book virtualization xen/data/sec xen basics.html) in the Virtualization with 
Xen (http://www.novell.com/documentation/sles10/book virtualization xen/data/ 

book virtualization xen.html) guide. 


For information on setting up virtualized NetWare, see "Installing and Managing NetWare on a Xen- 
based VM” in the OES 2 SP2: Installation Guide. 


For information on setting up virtualized OES 2 Linux, see "Installing, Upgrading, or Updating OES 
on a Xen-based VM” in the OES 2 SP2: Installation Guide. 
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Setting Up OpenWBEM 


This section includes the following information: 
¢ Section 5.1, “Installing OpenWBEM,” on page 17 
+ Section 5.2, “LUM-Enabling OpenWBEM During OES 2 Linux Installation,” on page 17 
+ Section 5.3, “Starting, Stopping, or Checking Status for OWCIMOMD,” on page 17 
+ Section 5.4, “Ensuring Secure Access,” on page 18 


+ Section 5.5, “Setting Up Logging,” on page 21 


5.1 Installing OpenWBEM 


When you install or apply a support pack to Novell® Open Enterprise Server (OES) 2 on NetWare®, 
OpenWBEM is installed by default. 


When you install any component of OES 2 on Linux that is dependent on OpenWBEM packages, 
the OpenWBEM packages from SLES 10 SPI are installed automatically. 


If you want to install only OpenWBEM, you only need to select the Web-Based Enterprise 
Management pattern from the Primary Functions category of the Software Selection page. 


5.2 LUM-Enabling OpenWBEM During OES 2 
Linux Installation 


During the installation of OES 2 Linux or when adding OES 2 Linux on an existing server, ensure 
that you LUM-enable OpenWBEM when you are configuring LUM. This is the default setting. 


If OpenWBEM is not LUM-enabled, the following services might not work as designed on an 
OES 2 Linux server: 


+ Novell iPrint 

+ Novell Remote Manager (NRM) 
+ Novell Samba 

+ Novell Storage Services™ (NSS) 


+ Storage Management Services™ (SMS) 


5.3 Starting, Stopping, or Checking Status for 
OWCIMOMD 


When OpenWBEM is installed, it installs and starts the OpenWBEM cimom daemon (OWCIMOMD) by 
default on OES on Linux and on OES on NetWare. Information in the following table explains how 
to start, stop, and check status for OWCIMOMD. 
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Table 5-1 Commands for Managing OWCIMOMD 





Task Linux Command NetWare Command 

Start OWCIMOMD As root in a console shell, As user Admin or equivalent at the System 
enter rcowcimomd start. Console, enter openwbem. 

Stop OWCIMOMD As root in a console shell, As user Admin or equivalent at the System 
enter rcowcimomd stop. Console, enter unload owcimomd. 

Check As root in a console shell, As user Admin or equivalent at the System 

OWCIMOMD enter rcowcimomd status. Console, enter modules owcimomd. 

status 


You can also view the list of loaded modules by 
using Novell Remote Manager. See "Managing 
Packages” in OES 2 SP2: Novell Remote Manager 
for Linux Administration Guide. 


5.4 Ensuring Secure Access 


The default setup of OpenWBEM is relatively secure. However, you might want to review the 
following to ensure access to OpenWBEM components is as secure as desired for your organization. 


+ Section 5.4.1, “Certificates,” on page 18 
+ Section 5.4.2, “Ports,” on page 19 
+ Section 5.4.3, “Authentication,” on page 20 


5.4.1 Certificates 


Secure Socket Layers (SSL) transports require a certificate for secure communications to occur. 
When OES is installed, OpenWBEM has a self-signed certificate generated for it. 


If desired, you can replace the path for the default certificate with a path to a commercial certificate 
that you have purchased or with a different certificate that you have generated in the 
http server.SSL cert = path filename setting in the openwbem. conf file. 


The default generated certificate is in the following locations: 


Table 5-2 Default Locations for Generated Certificates 








Platform File Location 
Linux /etc/openwbem/servercert.pem 
NetWare sys:/system/cimom/etc/openwbem/hostkey+cert.pem 


If you want to generate a new certificate, use the following commands. Running these commands 
replaces the current certificate, so Novell recommends making a copy of the old certificate before 
generating a new one. 


18 NW 6.5 SP8: OpenWBEM Services Administration Guide 


Table 5-3 Commands for Generating Certificates 








Platform Command 
Linux As root inaconsole shell, enter sh /etc/openwbem/owgencert. 
NetWare As user Admin or with equivalent rights in a Bash console shell, enter: 





/system/cimom/etc/openwbem/owgencert. 


To get a bash prompt, enter bash at the System Console prompt. To exit the 
bash console shell, enter exit. For more information about using bash 
commands on NetWare, see “BASH” in the NW 6.5 SP8: Utilities Reference. 


If you want to change the certificate that OpenWBEM uses, see “Changing the Certificate 
Configuration” on page 30. 


5.4.2 Ports 


OpenWBEM is configured by default to accept all communications through a secure port, 5989. 
Information in the following table explains the port communication setup and recommended 
configuration. 


Table 5-4 Port Communication Setup and Recommended Configurations 


Port 


5989 


Type 


Secure 


Notes and Recommendations 


The secure port that OpenWBEM communications use via HTTPS services. 
This is the default configuration. 


With this setting, all communications between the CIMOM and client applications 
are encrypted when sent over the Internet between servers and workstations. 
Users must authenticate through the client application to view this information. 


Novell recommends that you maintain this setting in the configuration file. 


In order for the OpenWBEM CIMOM to communicate with the necessary 
applications, this port must be open in routers and firewalls if they are present 
between the client application (iManager plug-in) and the nodes being monitored. 





5988 


Non- 
secure 


The non-secure port that OpenWBEM communications use via HTTP services. 
This setting is disabled by default. 


With this setting, all communications between the CIMOM and client applications 
are open for review when sent over the Internet between servers and workstations 
by anyone without any authentication. 


Novell recommends that you use this setting only when attempting to debug a 
problem with the CIMOM. As soon as the problem is resolved, set this back to the 
secure port, 5989. 


In order for the OpenWBEM CIMOM to communicate with the necessary 
applications, this port must be open in routers and firewalls if they are present 
between the client application (iManager plug-in) and the nodes being monitored. 
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If you want to change the default port assignments, see “Changing the Port Configuration” on 
page 30. 


5.4.3 Authentication 


The following authentication settings are set and enabled as the default for each platform for 
OpenWBEM in OES. 


You can change any of the default settings. See “Changing the Authentication Configuration” on 
page 23. 


Linux 
On Linux, the following settings are default: 


+ http server.allow local authentication = true 


* http server.ssl client verification - disabled 





* http server.use digest - fals 
* owcimomd.allow anonymous - false 
* owcimomd.allowed users - * 


* owcimomd.authentication module - /opt/novell/lib/openwbem/authentication/ 
libnovellauthentication.so 


On Linux, the OpenWBEM CIMOM is PAM-enabled; therefore the following can occur: 


* Local users can authenticate to the OpenWBEM CIMOM with local user credentials. 


* If LUM is installed on the server where the OpenWBEM CIMOM is running, then the LUM- 
enabled user can authenticate to the OpenWBEM CIMOM. 


* Ifa LUM-enabled user has the Supervisor right for the Entry Rights property for the UNIX 
Workstation object that represents the Linux server, the OpenWBEM CIMOM grants that user 
Root privileges to that Linux server. 


NetWare 
On NetWare, the following settings are default: 


* http server.allow local authentication - false 


* http server.ssl client verification - disabled 


* http server.use digest - fals 





* owcimomd.allow anonymous = false 
* owcimomd.allowed users - * 


* owcimomd.authentication module - /system/cimom/lib/openwbem/ 
authentication/libnetwareauthentication.nlmldap auth.ldap host - 
127.0.0.11dap auth.cert file - /public/RootCert.der 


You need to reconfigure the LDAP settings as shown in the following table. To change these 
settings, see *owcimomd.authentication module" on page 28. 
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Table 5-5 Recommended Changes for LDAP Settings 


Setting Recommended Change 


Idap_auth.Idap_host Change from a local IP address to the IP address or DNS name of the 
LDAP server for your network. 





Idap_auth.cert_file Change from the public/RootCert. der file on the local server to the 
RootCert.der file for the LDAP server in your network. 


Idap_auth.searchbase Set the LDAP search base to a container where the set of users that are 
using OpenWBEM is in the tree; otherwise, the search starts at the root 
of the tree. 


The following additional LDAP settings are recognized by owcimom.nlm: 


+ ldap auth.ldap port = 636 

+ ldap auth.bind timelimit = 3 
+ ldap auth.binddn = anonymous 
+ ldap auth.bindpw = N/A 


+ ldap auth.search timelimit = 10 seconds 





+ ldap auth.searchscope = sub 








+ ldap auth.user cachesize = 10 entries 


If you want to override these settings, you need to add them to the openwbem. conf file and make 
the changes as desired. To change these settings, see “Configuring Additional LDAP Settings for 
NetWare” on page 28. 


5.5 Setting Up Logging 
By default, logging for OpenWBEM is set up as follows. 


You can change any of the default settings. For more information, see “Changing the Default 
Logging Configuration” on page 31. 


+ Section 5.5.1, “Linux,” on page 21 


+ Section 5.5.2, “NetWare,” on page 22 


5.5.1 Linux 


On Linux, the following settings are default: 


* log.main.components = * 





* log.main.level = ERROR 


* log.main.type = syslog 


This means that OWCIMOMD logging is set up to go to the /var/log/messages file or to other files 
depending on the configuration of syslogd. It logs all errors for all components (OWCIMOMD). 
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5.5.2 NetWare 


On NetWare, the following settings are default: 


* log.main.components = * 





* log.main.level = ERROR 
+ log.main.location = /system/cimom/var/owcimomd. log 
+ log.main.max_backup_index = 1 
+ log.main.max file size = 1000 
+ log.main.type = file 
This means that OWCIMOMD logging is set up to go to the 


sys:\system\cimom\var\owmgmt openwebem 1x nwd. log file. The default file size is 1000 KB 
with one backup file. It logs all errors for all components (OWCIMOMD). 
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Changing the OpenWBEM CIMOM 
Configuration 


When OpenWBEM CIMOM (OWCIMOMD) starts, it receives all of its commands for running 
from the openwbem.conf file. The openwbem.conf file is located in the following locations: 


Table 6-1 Openwbem.conf File Locations 











Platform File Location 
Linux /etc/openwbem/openwbem. conf 
NetWare® sys:\system\cimom\etc\openwbem\openwbem. conf 


Any setting that has the options commented out with a semicolon (;) or pound sign (#) uses the 
default setting. 


When making changes to this file, you can use any text editor that saves the file in a format that is 
native to the platform you are using. 


You can change any of the settings in the openwbem. conf file. This section discusses the following 
configuration settings: 

+ Section 6.1, “Changing the Authentication Configuration,” on page 23 

¢ Section 6.2, “Changing the Certificate Configuration,” on page 30 

+ Section 6.3, “Changing the Port Configuration,” on page 30 

¢ Section 6.4, “Configuring CIMOM Daemons to Bind to IP Addresses,” on page 31 

+ Section 6.5, “Changing the Default Logging Configuration,” on page 31 

¢ Section 6.6, “Configuring Debug Logging,” on page 37 

¢ Section 6.7, “Configuring Additional Logs,” on page 38 


6.1 Changing the Authentication Configuration 


When changing the Authentication configuration, there are several things that you can control: 


+ Who can access the CIMOM 
+ Which LDAP server to use (on NetWare) 
+ Where the LDAP search for users begins (on NetWare) 


+ What authentication module is used 
See the following settings: 


¢ Section 6.1.1, “http_server.allow_local_authentication,” on page 24 
+ Section 6.1.2, “http_server.digest_password_file,” on page 24 


+ Section 6.1.3, “http_server.ssl_client_verification,” on page 25 
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+ Section 6.1.4, “http_server.ssl_trust_store,” on page 25 

+ Section 6.1.5, "http server.use digest," on page 26 

+ Section 6.1.6, “owcimomd.ACL_ superuser,” on page 26 

+ Section 6.1.7, *owcimomd.allowed anonymous," on page 27 

+ Section 6.1.8, “owcimomd.allowed_users,” on page 27 

+ Section 6.1.9, *owcimomd.authentication module," on page 28 


+ Section 6.1.10, "simple auth.password file," on page 29 
6.1.1 http_server.allow_local_authentication 


Purpose 


Directs the http_server to allow local authentication without supplying a password, relying on local 
system file permissions. 


You can use this setting with the Basic or Digest settings. 


Syntax 


http server.allow local authentication = option 


Option Use 
false Disable local authentication. 

This is the default setting for NetWare. 
true Enables local authentication. 


This is the default setting for Linux. 


Example 


http server.allow local authentication - true 


6.1.2 http server.digest password file 


Purpose 


Specifies a location for the password file. This is required if the http server.use digest setting is 
enabled. 


Syntax 
http server.digest password file - path filename 


The following are the default paths and filenames for the digest password files: 
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Platform File Location 








Linux /etc/openwbem/digest auth.passwd 

NetWare /svstem/cimom/etc/openwbem/digest auth.passwd 
Example 

http server.digest password file = /etc/openwbem/digest auth.passwd 





6.1.3 http server.ssl client verification 


Purpose 


Determines whether the server should attempt to authenticate clients with SSL Client Certificate 
verification. 


This setting is disabled bv default. 


Svntax 


http server.ssl client verification = option 


Option Use 


autoupdate Specifies the same functionality as the Optional option; however, previously unknown client 


certificates that pass HTTP authentication are added to a trust store so that subsequent 
client connections with the same certificate do not require HTTP authentication. 


disabled Disables client certificate checking. 
This is the default setting. 
optional Allows a trusted certificate to be authenticated (no HTTP authentication is necessary). 


Also allows an untrusted certificate to pass the SSL handshake if the client passes the 
HTTP authentication. 


required Requires a trusted certificate for the SSL handshake to succeed. 


Example 


http server.ssl client verification = disabled 


6.1.4 http server.ssl trust store 


Purpose 


Specifies a directory containing the OpenSSL trust store. 


Syntax 


http server.ssl trust store - path 
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The following are the default paths for the trust store files. 


Platform File Location 

Linux /etc/openwbem/truststore 

NetWare /system/cimom/etc/openwbem/truststore 
Example 

http server.ssl trust store = /etc/openwbem/truststore 





6.1.5 http_server.use_digest 


Purpose 


Directs the HTTP server to use Digest authentication, which bypasses the Basic authentication 
mechanism. To use Digest, you must set up the digest password file using owdigestgenpass. 


Digest doesn’t use the authentication module specified by the OWCIMOMD.authentication module 
configuration setting. 


Syntax 





http server.use digest = option 


Option Use 
false Enables the Basic authentication mechanism. 
true Disables the Basic authentication mechanism. 


This is the default OpenWBEM setting. However, in OES 2 Linux and NetWare 
this is set to false. 


Example 





http server.use digest - fals 


6.1.6 owcimomd.ACL superuser 


Purpose 


Specifies the username of the user that has access to all Common Information Model (CIM) data in 
all namespaces maintained by the OWCIMOMD. This user can be used to administer the / root / 
security name space, which is where all ACL user rights are stored. 





ACL processing is not enabled until the OpenWBEM Ac11.0.mof file has been imported. 


Syntax 


owcimomd.ACL superuser - username 
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Example 


owcimomd.ACL superuser = root 


6.1.7 owcimomd.allowed_anonymous 


Purpose 


Enables or disables anonymous logins to owmgmt openwebem lx nwd. 


Syntax 


owcimomd.allowed_anonymous = option 


Option Use 
false Requires login with a username and password to access OWCIMOMD data. 


This is the default and recommended setting. 


true Allows anonymous logins to OWCIMOMD. 
This disables authentication. No username or password is required to access OWCIMOMD 
data. 

Example 


owcimomd.allowed_anonymous = false 
6.1.8 owcimomd.allowed_users 


Purpose 


Specifies a list of users who are allowed to access OWCIMOMD data. 


Syntax 


owcimomd.allowed_users = option 


Option Use 
username Specifies one or more users who are allowed to access the OWCIMOMD data. 
Separate each username with a space. 


be Allows all users to authenticate (for example, if you choose to control access with ACLs 
instead). 


This option is enforced for all authentication methods unless owcimomd.allow_anonymous 
is set to true. 


This is the default setting. 
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Example 


owcimomd.allowed_users = bcwhitely jkcarey jlanderson 


6.1.9 owcimomd.authentication_module 


Purpose 


Specifies the authentication module that is used by OWCIMOMD. This setting should be an 
absolute path to the shared library containing the authentication module. 


Syntax 
owcimomd.authentication_module = path_filename 


The following are the default paths and filenames for the authentication modules: 


Platform File Location 

Linux x86 lusr/lib/openwbem/authentication/libnovellauthentication.so 
Linux 64 /usr/lib64/openwbem/authentication/libnovellauthentication.so 
NetWare /system/cimom/lib/openwbem/authentication/ 


libnetwareauthentication.nlm 
Idap auth.ldap host = 127.0.0.1 
Idap auth.cert file /public/RootCert.der 


Idap auth.searchbase = o=novell 


Example on Linux 


owcimomd. authentication module /usr/lib/openwbem/authentication/ 


libnovellauthentication.so 


Example on NetWare 


owcimomd. authentication module = /system/cimom/lib/openwbem/authentication/ 
libnetwareauthentication.nlm 

ldap auth.ldap host = 192.155.27.1 

ldap auth.cert file = /public/RootCert.der 

ldap auth.searchbase - ou-users,ou-provo,o-example company 





Configuring Additional LDAP Settings for NetWare 


The following table lists the additional LDAP settings that are recognized by owcimom.nlm and 
explains their configuration options: 
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Table 6-2 Configuration Options for Additional LDAP Settings Recognized by OWCIMOM.NLM 


Setting with Default Configuration Options 


ldap auth.bind timelimit = 3 Specifies the time (in seconds) that OWCIMOMD spends 
binding to LDAP as a given user. 





ldap auth.binddn - If you want to change these from an anonymous bind, you 
anonymousldap auth.bindpw = N/A must specify a fully distinguished name to bind to the server 
with and a password. For example: 





ldap auth.binddn cn-manager, dc-example, 
dc-com ldap auth.bindpw-secret 





ldap auth.ldap port - 636 If you change the secure port that LDAP is configured to, 
change this port number. 





ldap auth.searchscope - sub Options: sub, one 


sub: Sets the LDAP search to search the container 
specified in the Idap auth.searchbase setting and all of its 
subcontainers. 


Example context: 


o=example company ou=provo ou-provo,ou-users 
ou=provo, ou=sales ou=provo,ou=engineers 


For example, if the searchbase context were set to 
ou-provo,o-example company and the searchscope were 
set to sub, then the Provo container and all its 
subcontainers would be searched. 


one: Sets the LDAP search to search only the container 
specified in the Idap auth.searchbase setting. 


For example, if the searchbase context were set to 
ou-users,ou-provo,o-example company and the 
searchscope were set to one, then only the Users container 
would be searched. 





ldap auth.search timelimit = 10 Specifies the amount of time (in seconds) that OWCIMOMD 
spends searching for a user in LDAP. 








ldap auth.user cachesize - 10 Specifies the number of user authentication entries that are 
cached. Range: 0 to 1000 entries. 


6.1.10 simple auth.password file 


Purpose 
Specifies the path to the password file when the simple authentication module is used. 


This setting is disabled by default. 


Syntax 


simple auth.password file - path filename 
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simple auth.password file = /etc/openwbem/simple auth.passwd 


NetWare Example 


simple auth.password file = /system/cimom/etc/openwbem/simple auth.passwd 


6.2 Changing the Certificate Configuration 


The http_server.SSL_ cert and the http_server.SSL_key settings specify the location of the file or 
files that contains the host's private key and the certificate that is used by OpenSSL for HTTPS 
communications. 


The .pem file is located in the following default locations: 
Table 6-3 .pem File Locations 


Platform File Location 





Linux /etc/openwbem/servercert.pem 


/etc/openwbem/serverkey.pem 








NetWare /system/cimom/etc/openwbem/hostkey+cert.pem 


Syntax 
http server.SSL cert = path filename 
and 


http server.SSL key - path filename 


Linux Example 





http server.SSL cert - /etc/openwbem/servercert.pem 





http server.SSL key = /etc/openwbem/serverkey.pem 





NetWare Example 





http server.SSL cert = /etc/openwbem/hostkevtcert.pem 


6.3 Changing the Port Configuration 


The http_server.http_port and server.https_port settings specify the port number that OWCIMOMD 
listens on for all HTTP and HTTPS communications. 


Syntax 
http_server.http port = option 


or 
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http server.https port = option 


Option Use 


Specific_port_number Specify the specific port for HTTP or HTTPS communications. 
For HTTP, the default port is 5988. 
For HTTPS, the default port is 5989. 


-1 Disables HTTP or HTTPS connections (for example, if you only want to 
support HTTPS connections). 


0 Dynamically assigns a port number at run time. 


Example 
These settings disable the HTTP port and enable port 5989 for HTTPS communications: 
http server.http port = -1 


http server.https port = 5989 


6.4 Configuring CIMOM Daemons to Bind to IP 
Addresses 


You can configure OpenWBEM to bind the CIMOM daemons to all of the IP addresses on a server. 





You can do this by editing the /etc/openwbem/openwbem. conf file. Set the 
http server.listen addresses parameter of the openwbem. conf file to 0.0.0.0, which is the 
default. 





The following is the section to change in the openwbem.conf file: 


http_server.listen_addresses option specifies the local addresses 
to listen on. The option is a space delimited list. 

Each item is either a hostname or an IP address. 

The value 0.0.0.0 means to listen on all local addresses. 

This is a multi-valued option. Whitespace is the separator. 

The default is 0.0.0.0 

http_server.listen addresses = 0.0.0.0 

















6.5 Changing the Default Logging Configuration 


The following log settings in the owcimomd. conf file let you specify where and how much logging 
occurs, the type of errors logged, and the log size, filename, and format: 

+ Section 6.5.1, “log.main.categories,” on page 32 

¢ Section 6.5.2, “log.main.components,” on page 32 

¢ Section 6.5.3, “log.main.format,” on page 33 

+ Section 6.5.4, “log.main.level,” on page 34 

¢ Section 6.5.5, “log.main.location,” on page 35 


+ Section 6.5.6, 'log.main.max backup index,' on page 35 
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+ Section 6.5.7, “log.main.max_file size,” on page 36 


¢ Section 6.5.8, “log.main.type,” on page 36 
If you want to set up debug logging, see Section 6.6, “Configuring Debug Logging,” on page 37. 


If you want to set up additional logs, see Section 6.7, “Configuring Additional Logs,” on page 38. 
6.5.1 log.main.categories 


Purpose 


Specifies the categories the log outputs. 


Syntax 


log.main.categories = option 


Option Use 
category_name Specifies the categories to be logged using a space delimited list. 
The categories used in OWCIMOMD are: 


+ DEBUG 
+ ERROR 
+ FATAL 
* INFO 


For more information about these options, see “log.main.level” on page 34. 


If specified in this option, the predefined categories are not treated as levels, 
but as independent categories. No default is available; if a category is not set, 
no categories are logged and the log.main.level setting is used. 


* All categories are logged. 


This is the default setting. 


Example 





log.main.categories = FATAL ERROR INFO 


6.5.2 log.main.components 


Purpose 


Specifies the components that the log outputs. 


Syntax 


log.main.components = option 
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Option Use 


component_name Specifies the components to be logged (such as OWCIMOMD) using a 
space-delimited list. 


Providers can use their own components. 
Specifies that all components are logged. 


This is the default setting. 


Example 


log.main.components = owcimomd nssd 


6.5.3 log.main.format 


Purpose 


Specifies the format (text mixed with printf() style conversion specifiers) of the log messages. 


Syntax 

log.main.format = conversion specifier 

Option Specifies 

%% % 

%C Component (such as OWCIMOMD) 

%d Date 
Can be followed by a date format specifier enclosed between braces. For example, 
%d£/%H:%M:%S) or Yd{%d Yb %Y %H:%M:%S). If no date format specifier is given, 
then ISO 8601 format is assumed. 
The only addition is %Q, which is the number of milliseconds. 
For more information about the date format specifiers, see the documentation for the 
strftime() function found in the <ctime> header. 

%e Message as XML CDATA. This includes the “<![CDATA[“ and ending “] ]>” 

%F Filename 

%l Filename and line number. For example, file.cpp(100) 

%L Line number 

%M Method name where the logging request was issued (only works on C++ compilers that 
support PRETTY FUNCTION  orC99's func ). 

%m Message 

%n Platform-dependent line separator character (in) or characters (Vin). 

%p Category, also known as level or priority. 
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Option Specifies 


Mr Number of milliseconds elapsed between the start of the application and the creation of 
the logging event. 


%t Thread ID 
in New line 
\t Tab 

\r Line feed 
\\ \ 


\x<hexDigits> Character represented in hexadecimal 


It is possible to change the minimum field width, the maximum field width, and justification. The 
optional format modifier is placed between the percent sign (%) and the conversion character. The 
first optional format modifier is the left justification flag, which is the minus (-) character. The 
optional minimum field width modifier follows, which is an integer that represents the minimum 
number of characters to output. If the data item requires fewer characters, it is padded with spaces on 
either the left or the right, according to the justification flag. If the data item is larger than the 
minimum field width, the field is expanded to accommodate the data. 


The maximum field width modifier is designated by a period (.) followed by a decimal constant. If 
the data item is longer than the maximum field, then the extra characters are removed from the 
beginning of the data item (by default) or from the end (if the left justification flag was specified). 


Examples 


Log4j TTCC layout: 


"$-6r [%15.15t] $-5p $30.30c - $m" 


XML output conforming to log4j.dtd 1.2, which can be processed by Chainsaw (if used, this must be 
on one line; it is split up here for readability): 


"<log4j:event logger-"$c" timestamp="%d{%s%Q}" level="$p" thread-"$t"» 
<log4j:message>%e</log4j:message> <log4j:locationInfo class="" method-"" 
file="$F" line-"$L"/»«/log4j:event»" 


The following is the default: 


log.main.format - [$t]$m 
6.5.4 log.main.level 


Purpose 


Specifies the level the log outputs. If set, the log outputs all predefined categories at and above the 
specified level. 
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Syntax 


log.main.level = option 


Option Use 
DEBUG Logs all Debug, Info, Error, and Fatal error messages. 
ERROR Logs all Error and Fatal error messages. 


This is the default setting. 


FATAL Logs only Fatal error messages. 
INFO Logs all Info, Error, and Fatal error messages. 
Example 





log.main.level = ERROR 


6.5.5 log.main.location 


Purpose 


Specifies the location of the log file OWCIMOMD uses when the log.main.type setting option 
specifies that logging is sent to a file. 


Syntax 


log.main.location = path_filename 


Example 


log.main.location = /system/cimom/var/owcimomd.log 


6.5.6 log.main.max_backup_index 


Purpose 


Specifies the amount of backup logs that are kept before the oldest is erased. 


Syntax 


log.main.backup_index = option 


Option Use 
unsigned_integer_above_0 Specifies the number of backup logs kept. 
The default setting is 1 log file. 


0 No backup logs are made and the log is truncated when it reaches the 
maximum file size. 
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Example 


log.main.max backup index = 1 


6.5.7 log.main.max_file_size 


Purpose 


Specifies the maximum size (in KB) that the OWCIMOMD log can grow to. 


Syntax 

log.main.max file size = option 

Option Use 

unsigned _integer_in_KB Limits the log to a certain size in KB. 

0 Lets the log grow to an unlimited size. 
This is the default setting. 

Example 

log.main.max file size = 0 


6.5.8 log.main.type 


Purpose 


Specifies the type of main log OWCIMOMD uses. 


Syntax 


log.main.type = option 


Option Use 


file Sends all messages to a file that is identified in the log.main.location 
configuration setting. 


On NetWare, this is set using the file option and the log.main.location file is set 
to /system/cimom/var/owcimomd.log 


This is the default setting for NetWare. 
null Disables logging. 
Syslog Sends all messages to the syslog interface. 


This is the default setting for Linux. 


Example 


log.main.type = syslog 
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6.6 Configuring Debug Logging 


If OWCIMOMD is run in debug mode, then the debug log is active with the following settings: 


+ 


+ 


+ 


+ 


+ 


log 
log 
log 
log 
log 


.debug 
.debug 
.debug 
.debug 
.debug 


.categories 


.components 


.format = [$t] 


.level = * 


.type = stderr 


* 


$m 


6.6.1 Debug Log with Color 


If you want a color version of the debug log, use the following ASCII escape codes: 


log.debug.format = Ax1b[1;37;40m[Ax1b[1;31;40m%- 
.6tNx1b[1;37; 40m] \xlb[1;32;40m %m\x1b[0;37;40m 


If you want to use additional colors, use the following codes with the log.debug.format command: 


Table 6-4 Additional Color Codes for the log.debug.format Command 


Color 


red 


Codes 


\x1b[1;31;40m 





dark red 


\x1b[0;31;40m 





green 


dark green 


yellow 


\x1b[1;32;40m 
1x1b[0;32;40m 
\x1b[1;33;40m 





dark yellow 


\x1b[0;33;40m 





blue 


\x1b[1;34;40m 





dark blue 


\x1b[0;34;40m 





purple 


\x1b[1;35;40m 





dark purple 


cyan 


\x1b[0;35;40m 
\x1b[1;36;40m 





dark cyan 


\x1b[0;36;40m 





white 


\x1b[1;37;40m 





dark white 


\x1b[0;37;40m 





gray 


reset color 


\x1b[0;37;40m 
\x1b[0;37;40m 
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6.7 Configuring Additional Logs 


If you want to create additional logs, list the log names under this setting: 
owcimomd.additional logs = logname 


Separate multiple log names with spaces. 


Syntax 
owcimomd.additional logs = logname 
For each log, the following settings apply: 


+ log.log name.categories 

* log.log name.components 

* log.log name.format 

* log.log name.level 

* log.log name.location 

* log.log name.max backup index 


* log.log name.max file size 


Example 


owcimomd.additional logs = errorlogl errorlog2 errorlog3 
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Security Considerations 


This section includes issues that you should consider when installing and configuring OpenWBEM 
services on a Novell® Open Enterprise Server (OES) 2 Linux server. 


+ Section 7.1, “Secure Access,” on page 39 


+ Section 7.2, “CIM Providers,” on page 39 


7.1 Secure Access 


The default setup of OpenWBEM is relatively secure. However, you might want to review the 
following to ensure access to OpenWBEM components is as secure as desired for your organization. 
See “Ensuring Secure Access” on page 18. 


7.2 CIM Providers 


The OWCIMOMD process changes the fsuid (file system UID) of the threads as they execute 
provider code. However, these providers run in the same process space as OWCIMOMD, which 
runs as root. The fsuid change is done for convenience of the providers so that they can determine 
the access that a user has to the file system. This fsuid change provides only a minimal level of 
security. For security purposes, the providers should be considered as running as root. 





IMPORTANT: Because CIM providers must run as root they should be monitored for attacks. 





For example, look in syslog files to find odd patterns of behavior or malicious activity. In addition, if 
CIM or its providers do security logging, look at those log files as well. 
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Documentation Updates 


To help you keep current on updates to the documentation, this section contains information on 
content changes that have been made in this NW 6.5 SP8: OpenWBEM Services Administration 
Guide since the initial release of NetWare 6.5 SP7. 


The documentation was updated on the following dates: 


+ Section A.1, “November 9, 2009,” on page 41 
+ Section A.2, “December 2008,” on page 41 


A.1 November 9, 2009 


This guide has been modified for publication on the NetWare 6.5 SP8 Documentation Web site. 


A.2 December 2008 


Updates were made to the following sections. The changes are explained below. 


* Section A.2.1, “Changing the OpenWBEM CIMOM Configuration," on page 41 
+ Section A.2.2, “What's New for OpenWBEM," on page 41 


A.2.1 Changing the OpenWBEM CIMOM Configuration 


Location Change 


Section 6.4,“Configuring This section is new. 
CIMOM Daemons to 

Bind to IP Addresses,” 

on page 31 


A.2.2 What's New for OpenWBEM 


Location Change 


Section 2.1, "NetWare This section is new. 
6.5 SP8,” on page 11 
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